Overcoming Wi-Fi Security Fears

Welcome to the wireless revolution—well in progress. Head down to the local consumer electronics superstore, and you can have Wi-Fi—the wireless LAN protocol also known as 802.11b—access running at home or in your office in no time. Many new laptops already ship with built-in Wi-Fi, and earlier this year Intel released a new laptop chip, Centrino, designed specifically for mobile (and Wi-Fi) operations.

Two concerns still plague Wi-Fi, especially for would-be enterprise users: usability and security. The two are related, since the easiest and quickest way to connect to a wireless connection (known as a hotspot) is to disable Wi-Fi security. That, of course, leaves corporate data unencrypted and vulnerable to attack.

“Wi-Fi is still not as easy to use as users want, but, more importantly, it is inherently insecure,” notes Matthew Kovar, an analyst with Boston-based Yankee Group. “Depending on where you are and how you access a hotspot, there can be several elements that require configuration” in order to get any security. Yet public hotspot providers are in the game to make money, and often just disable security altogether, since it means easier user access.

To address the need for secure corporate access via Wi-Fi, whether from café, airport, or office, Redwood Shores, Calif.-based iPass Inc. released iPassConnect 3.0, an interface for iPass Corporate Access enterprise connectivity. The Windows software and service offer users a secure way to connect while on the go, no matter if it’s to Wi-Fi hotspots, on-campus wireless LANs, or broadband connected to a Wi-Fi router at home. The upgrade sports an improved interface and user experience, and a new, location-specific (rather than connection-specific) approach to logging on.

To log on, a user enters his or her location in the iPass software. If any iPass Enterprise-Ready Wi-Fi hotspots are in range, the user gets the option to connect, and iPassConnect configures and secures the user’s Wi-Fi hardware accordingly. The important consideration is ease of use: as with existing dial-up software on corporate laptops, users need only enter their location, then click to connect. Note that if there’s an available Wi-Fi connection in the area that’s not part of the iPass network, the user won’t even see it.

iPass authentication works with a range of existing corporate databases, including NT domains, Active Directory, Unix flat files, and LDAP. When a user connects via Wi-Fi, iPass also encrypts user credentials, from the computer through to the actual provider, since many hotspots are insecure.

“The first thing the software does is get the user authenticated and onto the iPass network. Once there's a successful connection, we can launch VPN software automatically for the user, and we will be creating a VPN connection to the corporation's VPN switch,” says DePaoli. The software can also ensure that VPN, anti-virus, and personal firewall software keep running. Deactivate any of those, and iWire disables the connection.

The alternative to an approach such as iPass, or its competitor, GRIC (Global Roaming Internet Corp.), is to disallow wireless access, or kludge together an approach via homegrown technology and corporate security policies, and hope users don’t deactivate security controls.

An all-in-one approach can simplify administration as well, says Vickie Ellis, a division manager at farm equipment maker Deere & Co., based in Moline, Ill. “In the past 18 months we were able to easily deploy their service to a targeted portion of our mobile workforce and soon began to realize a cost savings. It was far easier to let iPass handle the network piece, especially since their service worked with our existing VPN solution.” Deere is currently beta testing the iPassConnect 3.0 interface for Wi-Fi.

Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies columnist, as well as a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.